How To Set Up Private IP Segregation with CloudPassage in the GoGrid Cloud

September 29th, 2011

CloudPassage is a key security partner that has images available on the GoGrid Partner Exchange. The CloudPassage images on GoGrid come pre-installed with their Halo daemon. The images are available for CentOS, Debian, Red Hat, and Ubuntu in both 32-bit and 64-bit flavors. Alternatively, you can launch a GoGrid base image and install the Halo daemon on your own. This tutorial assumes that you have a basic understanding of Linux and SSH as well as basic firewall strategies. It also assumes that you know how to configure private IPs, so that will not be covered here.

Launch a server with the CloudPassage Halo daemon


In your account, add a cloud server. You will be presented with a screen where you can select all the images available to customers on GoGrid. If you enter “Halo” in the name field, it will filter for only the CloudPassage partner images. For this tutorial, I will be using the Ubuntu x64 version on US-West-1.

Register for CloudPassage


While your server is spinning up, go ahead and go to this link and register for CloudPassage (if you haven’t already). One of the advantages of CloudPassage is that you can centrally manage your security from a single web site.

Retrieving your CloudPassage API key


Once you have registered, you will want to pull your CloudPassage API key. Navigate to “Settings > Site Administration > API Keys” to retrieve your CloudPassage API key. Check your email spam folder if you haven’t received an email from CloudPassage. To have future emails from CloudPassage delivered to your Inbox, add to your safe senders list.

Upgrade your existing daemon

Log back into the Ubuntu server that you just provisioned. It’s good practice to change the pre-assigned password, so do that first. Next, upgrade the existing Halo daemon to make sure that you are using the latest version.

Run at the prompt:

apt-get update && apt-get install cphalo

Start the daemon with your API key


At the prompt enter:

/etc/init.d/cphalod start --api-key=<your CloudPassage API Key here>

to start the CloudPassage Halo daemon on your cloud server.
This will start the daemon and link the server to your account on CloudPassage. If you go to Servers > Server Access you will see your server listed.

Create a new Firewall Policy


Next, go to Policies > Firewall Policies. Click on the button “Add New Firewall Policy”.
You will then be presented with a page where you can set the inbound and outbound rules.

I am going to create a rule on the private network (eth1) that allows only one private IP address to access this server. For the first inbound rule, select “eth1” from the Interface drop-down.

Determine which IP can access your server


CloudPassage has the concept of IP Zones, which are groupings of IP addresses. At the Source drop-down, select “Add New” to create a new IP Zone. I have created a new Zone called “Access OK” and assigned it only one IP address. You can also assign a block of IPs or separate IP addresses. Click the Create button, which will set the IP Zone as the default selection for the Source drop-down. Leave Service as “any”, Conn. State as “Any”, and Action as “ACCEPT”.

Set the default-deny rule


For this tutorial, I am just setting up access for one private IP into this server and blocking every other IP. This will only work if you configure a static private IP for the server you want to give access to. Alternately, you can select a predefined Server Group in the Source drop-down but servers will only appear there if you install the Halo daemon. Since our images are set to use DHCP for private IP assignment, you will still need to set a static private IP for this to work.

A best practice is to set the last rule as a default-deny. This will prevent any other connections from accessing the server. Note that this configuration only controls private IPs: this policy has no rules for public traffic. Realistically, you will want to control this as well in order to prevent external access to your servers. However, this tutorial is focused on demonstrating that private IPs can also be controlled centrally.

Click on the “Add” link as shown on the screen shot. This creates a default-deny rule. Make sure to select “eth1” for the Interface drop-down, or else you will lock out your public access as well.

Click Apply once you have made that change.

Assign the Policy to your server


First, go to Servers > Firewall Management. Your server will most likely not be assigned to any server group so it will be in the (1) Unassigned Group. Since the Firewall Policy is assigned at a group level, create a new group for this server by (2) clicking on the Link “Add a New Group”.

Select the Firewall Policy for the Group


After clicking on “Add a New Group” you will see a form where you can select the Policy that you just created and name the new group. Note that this policy is set GROUP wide so you can assign any new servers to this group and it will then have that Firewall policy applied. I have named this group “Private Network” and selected the Firewall Policy that I just created “Private Network Access”. Click “Save” when you are done with this form.

Move your server from Unassigned to the new group


Now that you have created a new Server Group, you will want to move your server to that group. (1) Click on the check box on the right of the server and on the (2) Actions drop-down select “Move Server(s)”. You will then be presented with a form; simply select the new group that you created (called Private Network in this tutorial) and then click the “Move Servers” button.
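
Once the server is in the group, you can confirm on the server itself that the private-network rules are in place. The script below is an added example, not CloudPassage or GoGrid code: it assumes the policy is enforced through the host's iptables INPUT chain, and the function name check_private_policy, the verdict names and the address 10.0.0.5 are made up for illustration. It checks for the allowed IP on eth1, a catch-all deny on eth1 after it, and no catch-all deny that forgot the interface.

```shell
#!/bin/sh
# Added example, not CloudPassage or GoGrid code.
# Reads `iptables -S INPUT` style lines on stdin and prints one verdict:
#   ok               allowed IP accepted on eth1, then catch-all deny on eth1
#   allow-missing    no ACCEPT for the allowed IP ahead of the eth1 deny
#   no-default-deny  eth1 has no catch-all DROP/REJECT
#   unscoped-deny    a catch-all deny names no interface (hits public traffic too)
check_private_policy() {
    awk -v ip="$1" '
    $1 != "-A" || $2 != "INPUT" { next }    # skip "-P INPUT ..." and other chains
    {
        iface = ""; src = ""; target = ""; narrow = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-s" || $i == "-d" || $i == "-p" || $i == "-m") narrow = 1
        }
        sub(/\/32$/, "", src)               # iptables prints single hosts as a.b.c.d/32
        catchall = (!narrow && (target == "DROP" || target == "REJECT"))
        if (catchall && iface == "")     unscoped = 1
        if (catchall && iface == "eth1") eth1_deny = 1
        if (!eth1_deny && iface == "eth1" && target == "ACCEPT" && src == ip) allow = 1
    }
    END {
        if (unscoped)        verdict = "unscoped-deny"
        else if (!eth1_deny) verdict = "no-default-deny"
        else if (!allow)     verdict = "allow-missing"
        else                 verdict = "ok"
        print verdict
        exit (verdict != "ok")
    }'
}

# Constructed sample rules (not captured from a Halo-managed server).
check_private_policy 10.0.0.5 <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 10.0.0.5/32 -i eth1 -j ACCEPT
-A INPUT -i eth1 -j DROP
EOF
```

On a live server, run it as root with the real rules: iptables -S INPUT | check_private_policy <allowed private IP>.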

You’re done!

This configuration will then allow for you to assign certain private IPs to have access to your server while blocking others. This will help a few use cases:

1. You have a group of users who each have 3 servers and want only the three that they own to access each other via the private network. You can configure CloudPassage to allow access to those 3 servers and block the other users' servers. This will provide private network isolation that can be centrally managed via the CloudPassage Portal.
2. You have a group of web servers but you only want one to access your back-end servers via the private network.

Using CloudPassage is a great way to centrally manage security on any number of servers that you might have running on the GoGrid cloud. While this tutorial has focused on the private network, CloudPassage is also excellent at managing firewalls for public access. Install their image and start using it to protect your servers today!


Rupert Tagnipes

Director, Product Management at GoGrid
Rupert Tagnipes is Director of Product Management at GoGrid who is responsible for managing and expanding the company’s multiple product lines. His focus is on leveraging his technical background and industry knowledge to drive product innovation and increase adoption of the cloud. He has extensive software product experience at technology companies in Silicon Valley solving data analytics and cloud infrastructure problems for customers across multiple industries.


2 Responses to “How To Set Up Private IP Segregation with CloudPassage in the GoGrid Cloud”

  1. Carson Sweet says:

    Rupert, thanks for the great recipe.

    A quick word on supported operating systems — our Halo roadmap includes Windows firewall management support using exactly the same policies and interface. This support is scheduled roll out year-end. We know that this is important for many GoGrid customers, and we're listening.
